
Enabling Tags Synchronization to Apache Ranger from Discovery

Discovery can sync tags to Ranger after a successful scan. Tags that are classified in Discovery are mapped to the corresponding service repository in Apache Ranger. This service repository must be configured when you enable the Ranger Tag Sync feature. By default, the service repository name starts with the prefix privacera_ followed by the datasource name. For example, for AWS S3, the service repository name is privacera_s3. The sample list of service repositories can be found here.

While enabling the Ranger Tag Sync feature, you can also configure additional properties for the data source.

  1. Sending Inherited Table Tags To Ranger: If the data source is a table, then you have the option to sync inherited tags to Ranger. By default, this option is enabled.

⚠ Limitations

Here are some limitations of the Ranger Tag Sync feature:

  • If the tags are deleted from Ranger, then the tags won't be automatically re-synced from Discovery.
  • Attributes for tags in Discovery are not synced to Ranger.
  • This is a one-way sync from Discovery to Ranger. Any changes in Ranger won't be reflected back in Discovery.
  • Existing tags before enabling the Ranger Tag Sync won't be synced to Ranger. Only the tags classified after enabling the Ranger Tag Sync will be synced to Ranger. However, the existing tags can be manually synced to Ranger by scanning the datasource using on-demand (offline) scan.
  • Disabling the Ranger Tag Sync will stop the sync of tags to Ranger. However, the existing tags in Ranger will not be deleted.

Prerequisites

| Prerequisites | Description |
|---|---|
| Tag Synchronization Enabled | Discovery needs to be configured with Apache Ranger credentials. |
| Service Repo Name | Name of the service repo to which the tags should be synced. Here are the sample repo names. |
| Ranger Service User | User with admin privileges to create tags in Ranger. For Self Managed, the installation automatically configures the service user; for Data Plane deployment, follow this step to create the Ranger Service User. |

If you have customized the service repository name or created a new service repository, you need to provide the same service repository name in the Discovery configuration.

Setup

The steps to enable the Ranger Tag Sync feature are the same for Self Managed and Data Plane deployments.

For Data Plane deployment, make sure that you have created the Service User, that Privacera Manager is configured, and that the Privacera services have been restarted.

  1. Log in to Self Managed Portal or Discovery Admin Console.
  2. Navigate to Settings -> Data Source Registration
  3. Click on the Edit (Pencil) icon for the data source you want to sync tags to Ranger.
  4. Under Application Properties section, update or add the following options:

    1. Scroll down to the Enable Ranger TagSync option and enable it.
    2. For sources which are databases you can enable the Send Inherited Table Tags To Ranger option. Valid values are true or false. By default, the value is true.
    3. At the bottom of the page go to Add Custom Properties section and add the following properties:
      1. Cluster Name : You need to enter privacera as a default value for this field.
      2. Service Name : Use the service repo name for the datasource. e.g. privacera_${datasource_name}.

        Example (replace service_repo_name with the actual service repo name)
        cluster_name=privacera
        service_name=${service_repo_name}
        

        If the property is already present, update the value with the new service repo name.

  5. Click SAVE
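
A pre-save check for the two custom properties above, as an added example that is not part of the Privacera documentation or product code. It flags a wrong cluster name, an unreplaced ${service_repo_name} placeholder, duplicate keys, and a service name that matches neither the default privacera_ prefix nor an operator-supplied list of Ranger repos; the function names, the ranger_repos parameter and the sample inputs are assumptions made for illustration.

```python
import re

CLUSTER = "privacera"    # value the page gives for Cluster Name
PREFIX = "privacera_"    # default service repository prefix from the page

def parse_properties(text):
    """Parse key=value lines; return (props, duplicated_keys)."""
    props, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        key = key.strip()
        if key in props:
            dupes.append(key)
        props[key] = value.strip()
    return props, dupes

def check_tag_sync(text, datasource, ranger_repos=None):
    """Return findings; an empty list means the properties are consistent."""
    props, dupes = parse_properties(text)
    findings = [f"{k} is set more than once" for k in dupes]
    cluster = props.get("cluster_name")
    if cluster != CLUSTER:
        findings.append(f"cluster_name is {cluster!r}, expected {CLUSTER!r}")
    service = props.get("service_name")
    if not service:
        findings.append("service_name is missing or empty")
    elif re.search(r"\$\{[^}]*\}", service):
        findings.append(f"service_name has an unreplaced placeholder: {service!r}")
    elif ranger_repos is not None and service not in ranger_repos:
        findings.append(f"service_name {service!r} is not a known Ranger repo")
    elif ranger_repos is None and service != PREFIX + datasource:
        findings.append(f"service_name {service!r} is not the default "
                        f"{PREFIX + datasource!r}; confirm the repo exists")
    return findings

# Constructed sample inputs (not taken from a real deployment).
GOOD = "cluster_name=privacera\nservice_name=privacera_s3\n"
TEMPLATE = "cluster_name=privacera\nservice_name=${service_repo_name}\n"
CUSTOM = "cluster_name=privacera\nservice_name=finance_s3\nservice_name=finance_s3\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("template", TEMPLATE), ("custom", CUSTOM)):
        print(name, check_tag_sync(sample, "s3"))
```

Pass ranger_repos as the set of service repository names that exist in Ranger when the repo name has been customized, so that a customized name is checked against real repos instead of the default prefix.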


Validation

  1. Scan some sample resources for the data source and ensure that the tags are classified and shown in the Discovery Classification tab.
  2. For Self-Managed, log in to the Privacera Portal; for Data Plane, log in to your PrivaceraCloud Portal.
  3. Navigate to Access Management > Tag Management
  4. Under the TAGS tab, validate whether the Classified Tags are visible in the portal.
  5. Under the TAGGED RESOURCES tab, validate whether the resources that were scanned and classified in the portal are visible.
  6. Resource Filter: Use the resource filter to search for a resource and its associated synced tags.
  7. Service Filter: This field lists all services; select the service repo that you configured for this connector.
  8. Tags Filter: This field lists all synced tags; select a tag to validate whether it is synced for a particular resource.
